In a 2 Dec Twitter conversation https://twitter.com/GenodeLabs/status/671941252162678784, I was invited to elaborate here; so...
I wholeheartedly agree when the Genode book http://genode.org/documentation/genode-foundations-15-05.pdf says:
*Capability-based security* supposedly makes security easy to use by
providing an intuitive way to manage authority without the need for an all-encompassing and complex global system policy.
I don't understand why this principle is ignored in the hello world code example:
#include <base/printf.h>
int main() { Genode::printf("Hello world\n"); return 0; }
Why appeal to ambient authority to print to the console? Why not pass a capability to main, as Pony does with env https://github.com/CausalityLtd/ponyc/blob/master/packages/builtin/env.pony, as Capsicum does at cap_enter() http://lwn.net/Articles/482858/, etc.?
At lower levels of the architecture, Genode has this structure; e.g. section 3.5, component creation:
The environment is constructed by successively requesting the component’s
RM, RAM, CPU, and PD sessions from its parent.
Why not continue this structure in the base API?
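To make the contrast concrete, here is an added example (written for this page, not code from the Genode book or from Genode's base API) modelling the two styles in plain C++. The names Log_session, Buffer_log, Attenuated_log, Env and component_main are assumptions for illustration only and do not correspond to real Genode interfaces. The ambient version reaches a global from anywhere in the program; the capability version can only log through the session object its parent chose to hand it, and the parent can attenuate that authority (here: a prefix and a line budget) without any global policy.

```cpp
// Added example: ambient-authority logging vs. a capability passed in through
// the component's environment. Plain C++17; all names are illustrative
// assumptions, not Genode's actual API.
#include <cstddef>
#include <iostream>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// A session to a logging service. Holding a reference to one IS the capability:
// code that was never handed a Log_session has no way to log.
class Log_session {
public:
    virtual ~Log_session() = default;
    virtual void log(const std::string &msg) = 0;
};

// The parent's own log. Appends to a buffer so the result can be inspected.
class Buffer_log : public Log_session {
    std::vector<std::string> _lines;
public:
    void log(const std::string &msg) override { _lines.push_back(msg); }
    const std::vector<std::string> &lines() const { return _lines; }
};

// An attenuated capability: wraps the parent's session, tags every line with a
// prefix and enforces a line budget. The child never sees the wrapped session.
class Attenuated_log : public Log_session {
    Log_session &_parent;
    std::string  _prefix;
    unsigned     _budget;
public:
    Attenuated_log(Log_session &parent, std::string prefix, unsigned budget)
    : _parent(parent), _prefix(std::move(prefix)), _budget(budget) {}

    void log(const std::string &msg) override {
        if (_budget == 0) return;          // quota exhausted: line is dropped
        --_budget;
        _parent.log("[" + _prefix + "] " + msg);
    }
};

// The environment handed to a component. Everything the component may do is
// reachable only through this object (mirroring the RM/RAM/CPU/PD sessions a
// Genode component receives from its parent).
struct Env {
    Log_session &log;
};

// Ambient-authority style, as in the hello-world snippet: a process-wide
// global that any code linked into the program can reach, with no way for a
// parent to restrict or audit who uses it. Returns the line count after logging.
static Buffer_log ambient_log;
std::size_t ambient_hello() {
    ambient_log.log("Hello world");
    return ambient_log.lines().size();
}

// Capability style: main receives its authority explicitly.
void component_main(Env &env) {
    env.log.log("Hello world");
    env.log.log("second line");
    env.log.log("third line, beyond a budget of two");  // dropped by the parent
}

// The parent constructs the child's environment and thereby decides its authority.
void run_child(Buffer_log &parent_log, unsigned budget) {
    Attenuated_log child_log(parent_log, "child", budget);
    Env env{child_log};
    component_main(env);
}

// Runs one child with the given budget and returns what reached the parent's log.
std::vector<std::string> demo_child_lines(unsigned budget = 2) {
    Buffer_log parent_log;
    run_child(parent_log, budget);
    return parent_log.lines();
}

int main() {
    for (const std::string &line : demo_child_lines(2))
        std::cout << line << '\n';   // "[child] Hello world", "[child] second line"
    return 0;
}
```

The point is not the logging itself but where the authority comes from: with the capability version, a code reviewer can enumerate a component's powers by reading the Env it was given, and a parent can hand a child less than it has itself.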